From 0248d272d95d8e072791aca6caa9163201aaa0ac Mon Sep 17 00:00:00 2001 
From: eabdullin
Date: Fri, 16 Jan 2026 09:17:45 +0000
Subject: [PATCH] import OL vsftpd-3.0.5-10.el10_1.1
---
 .gitignore | 2 +-
 .vsftpd.metadata | 1 -
 ...-provided-script-to-locate-libraries.patch | 0
 ... 0001-Fix-timestamp-handling-in-MDTM.patch | 2 +-
 ...ve-closing-standard-FDs-after-listen.patch | 0
 ...out-the-ftp_home_dir-SELinux-boolean.patch | 0
 ...e-until-it-succeeds-if-it-fails-with.patch | 3 +-
 ...rted-only-after-record-insertion-rem.patch | 2 +-
 0002-Drop-an-unused-global-variable.patch | 56 +++++
 ....patch => 0002-Enable-build-with-SSL.patch | 0
 ...tch => 0002-Prevent-recursion-in-bug.patch | 0
 ...at-pututxline-if-it-fails-with-EINTR.patch | 2 +-
 ...> 0003-Enable-build-with-TCP-Wrapper.patch | 0
 ...-dir-for-config-files-instead-of-etc.patch | 0
 ...en-calling-PAM-authentication-module.patch | 0
 ...err-before-listening-for-incoming-co.patch | 0
 ...> 0007-Make-filename-filters-smarter.patch | 0
 ...008-Write-denied-logins-into-the-log.patch | 0
 ...itespaces-when-reading-configuration.patch | 0
 ...ng.patch => 0010-Improve-daemonizing.patch | 0
 ...-Fix-listing-with-more-than-one-star.patch | 0
 ...lace-syscall-__NR_clone-.-with-clone.patch | 0
 ...3-Extend-man-pages-with-systemd-info.patch | 0
 ...dd-support-for-square-brackets-in-ls.patch | 0
 ...ch => 0015-Listen-on-IPv6-by-default.patch | 0
 ...e-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch | 0
 ...-an-issue-with-timestamps-during-DST.patch | 0
 ...he-default-log-file-in-configuration.patch | 0
 ...troduce-reverse_lookup_enable-option.patch | 0
 ...d-int-for-uid-and-gid-representation.patch | 0
 ...llow-crypto-policies-for-ssl-ciphers.patch | 39 +++
 ...s-for-TLS-ciphersuites-and-DH-params.patch | 135 +++++++++++
 ...n-for-isolate_-options.-Correct-defa.patch | 0
 ... 0024-Introduce-new-return-value-450.patch | 0
 ...> 0025-Improve-local_max_rate-option.patch | 4 +-
 ...6-Prevent-hanging-in-SIGCHLD-handler.patch | 0
 ... 0027-Delete-files-when-upload-fails.patch | 0
 ...patch => 0028-Fix-man-page-rendering.patch | 0
 ...9-Fix-segfault-in-config-file-parser.patch | 0
 ...g-into-syslog-when-enabled-in-config.patch | 0
 ...on-mark-wildcard-withing-a-file-name.patch | 0
 ...errors-from-nfs-with-quota-to-client.patch | 0
 ...omp-sandbox-because-it-is-too-strict.patch | 0
 ... 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch | 0
 ...ationship-of-text_userdb_names-and-c.patch | 0
 ...low_writeable_chroot-in-the-man-page.patch | 0
 ...tation-of-ASCII-mode-in-the-man-page.patch | 0
 ...AT-command-check-ssl_tlsv1_1-and-ssl.patch | 2 +-
 ...nymous_enable-in-default-config-file.patch | 0
 ...on-of-ascii_-options-behaviour-in-ma.patch | 0
 ...r-to-the-man-page-regarding-the-asci.patch | 0
 ...=> 0047-Disable-tcp_wrappers-support.patch | 0
 ...e-of-strict_ssl_read_eof-in-man-page.patch | 0
 ...-generation-algorithm-for-STOU-comma.patch | 0
 ...patch => 0050-Don-t-link-with-libnsl.patch | 0
 ...ation-of-better_stou-in-the-man-page.patch | 0
 ...Pv6.patch => 0052-Fix-rDNS-with-IPv6.patch | 0
 ...=> 0053-Always-do-chdir-after-chroot.patch | 0
 ...imeo-Check-return-value-of-setsockop.patch | 0
 ...tz-Check-the-return-value-of-syscall.patch | 0
 ...atch => 0056-Log-die-calls-to-syslog.patch | 0
 ...ssage-when-max-number-of-bind-attemp.patch | 0
 ...e-max-number-of-bind-retries-tunable.patch | 0
 ...when-running-in-a-container-as-PID-1.patch | 0
 ...-support-for-DHE-based-cipher-suites.patch | 226 ------------------
 ...upport-for-EDDHE-based-cipher-suites.patch | 136 -----------
 ...ntroduce-TLSv1.1-and-TLSv1.2-options.patch | 153 ------------
 ...ment-patch-to-build-with-OpenSSL-1.1.patch | 74 ------
 .../0040-Use-system-wide-crypto-policy.patch | 27 ---
 ...-default-for-ssl_ciphers-in-the-man-.patch | 31 ---
 .../0043-Enable-only-TLSv1.2-by-default.patch | 53 ----
 ...-add-option-for-tlsv1.3-ciphersuites.patch | 75 ------
 ...ftpd-3.0.3-option_to_disable_TLSv1_3.patch | 132 ----------
 fix-str_open.patch | 27 +++
 sources | 1 +
 ...wc_logs-replace_unprintable_with_hex.patch | 0
 ...replace-deprecated-openssl-functions.patch | 45 ++++
 ...5-replace-old-network-addr-functions.patch | 139 +++++++++++
 vsftpd-3.0.5-use-old-tlsv-options.patch | 15 ++
 SOURCES/vsftpd-generator => vsftpd-generator | 0
 SOURCES/vsftpd.ftpusers => vsftpd.ftpusers | 0
 SOURCES/vsftpd.pam => vsftpd.pam | 0
 SOURCES/vsftpd.service => vsftpd.service | 0
 SPECS/vsftpd.spec => vsftpd.spec | 177 ++++++++++----
 SOURCES/vsftpd.target => vsftpd.target | 0
 SOURCES/vsftpd.user_list => vsftpd.user_list | 0
 SOURCES/vsftpd.xinetd => vsftpd.xinetd | 0
 SOURCES/vsftpd@.service => vsftpd@.service | 0
 ..._conf_migrate.sh => vsftpd_conf_migrate.sh | 0
 89 files changed, 592 insertions(+), 967 deletions(-)
 delete mode 100644 .vsftpd.metadata
 rename SOURCES/0001-Don-t-use-the-provided-script-to-locate-libraries.patch => 0001-Don-t-use-the-provided-script-to-locate-libraries.patch (100%)
 rename SOURCES/0001-Fix-timestamp-handling-in-MDTM.patch => 0001-Fix-timestamp-handling-in-MDTM.patch (99%)
 rename SOURCES/0001-Move-closing-standard-FDs-after-listen.patch => 0001-Move-closing-standard-FDs-after-listen.patch (100%)
 rename SOURCES/0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch => 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch (100%)
 rename SOURCES/0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch => 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch (97%)
 rename SOURCES/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch => 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch (96%)
 create mode 100644 0002-Drop-an-unused-global-variable.patch
 rename SOURCES/0002-Enable-build-with-SSL.patch => 0002-Enable-build-with-SSL.patch (100%)
 rename SOURCES/0002-Prevent-recursion-in-bug.patch => 0002-Prevent-recursion-in-bug.patch (100%)
 rename SOURCES/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch => 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch (97%)
 rename SOURCES/0003-Enable-build-with-TCP-Wrapper.patch => 0003-Enable-build-with-TCP-Wrapper.patch (100%)
 rename SOURCES/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch => 0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch (100%)
 rename SOURCES/0005-Use-hostname-when-calling-PAM-authentication-module.patch => 0005-Use-hostname-when-calling-PAM-authentication-module.patch (100%)
 rename SOURCES/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch => 0006-Close-stdin-out-err-before-listening-for-incoming-co.patch (100%)
 rename SOURCES/0007-Make-filename-filters-smarter.patch => 0007-Make-filename-filters-smarter.patch (100%)
 rename SOURCES/0008-Write-denied-logins-into-the-log.patch => 0008-Write-denied-logins-into-the-log.patch (100%)
 rename SOURCES/0009-Trim-whitespaces-when-reading-configuration.patch => 0009-Trim-whitespaces-when-reading-configuration.patch (100%)
 rename SOURCES/0010-Improve-daemonizing.patch => 0010-Improve-daemonizing.patch (100%)
 rename SOURCES/0011-Fix-listing-with-more-than-one-star.patch => 0011-Fix-listing-with-more-than-one-star.patch (100%)
 rename SOURCES/0012-Replace-syscall-__NR_clone-.-with-clone.patch => 0012-Replace-syscall-__NR_clone-.-with-clone.patch (100%)
 rename SOURCES/0013-Extend-man-pages-with-systemd-info.patch => 0013-Extend-man-pages-with-systemd-info.patch (100%)
 rename SOURCES/0014-Add-support-for-square-brackets-in-ls.patch => 0014-Add-support-for-square-brackets-in-ls.patch (100%)
 rename SOURCES/0015-Listen-on-IPv6-by-default.patch => 0015-Listen-on-IPv6-by-default.patch (100%)
 rename SOURCES/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch => 0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch (100%)
 rename SOURCES/0017-Fix-an-issue-with-timestamps-during-DST.patch => 0017-Fix-an-issue-with-timestamps-during-DST.patch (100%)
 rename SOURCES/0018-Change-the-default-log-file-in-configuration.patch => 0018-Change-the-default-log-file-in-configuration.patch (100%)
 rename SOURCES/0019-Introduce-reverse_lookup_enable-option.patch => 0019-Introduce-reverse_lookup_enable-option.patch (100%)
 rename SOURCES/0020-Use-unsigned-int-for-uid-and-gid-representation.patch => 0020-Use-unsigned-int-for-uid-and-gid-representation.patch (100%)
 create mode 100644 0021-Follow-crypto-policies-for-ssl-ciphers.patch
 create mode 100644 0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch
 rename SOURCES/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch => 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch (100%)
 rename SOURCES/0024-Introduce-new-return-value-450.patch => 0024-Introduce-new-return-value-450.patch (100%)
 rename SOURCES/0025-Improve-local_max_rate-option.patch => 0025-Improve-local_max_rate-option.patch (97%)
 rename SOURCES/0026-Prevent-hanging-in-SIGCHLD-handler.patch => 0026-Prevent-hanging-in-SIGCHLD-handler.patch (100%)
 rename SOURCES/0027-Delete-files-when-upload-fails.patch => 0027-Delete-files-when-upload-fails.patch (100%)
 rename SOURCES/0028-Fix-man-page-rendering.patch => 0028-Fix-man-page-rendering.patch (100%)
 rename SOURCES/0029-Fix-segfault-in-config-file-parser.patch => 0029-Fix-segfault-in-config-file-parser.patch (100%)
 rename SOURCES/0030-Fix-logging-into-syslog-when-enabled-in-config.patch => 0030-Fix-logging-into-syslog-when-enabled-in-config.patch (100%)
 rename SOURCES/0031-Fix-question-mark-wildcard-withing-a-file-name.patch => 0031-Fix-question-mark-wildcard-withing-a-file-name.patch (100%)
 rename SOURCES/0032-Propagate-errors-from-nfs-with-quota-to-client.patch => 0032-Propagate-errors-from-nfs-with-quota-to-client.patch (100%)
 rename SOURCES/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch => 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch (100%)
 rename SOURCES/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch => 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch (100%)
 rename SOURCES/0037-Document-the-relationship-of-text_userdb_names-and-c.patch => 0037-Document-the-relationship-of-text_userdb_names-and-c.patch (100%)
 rename SOURCES/0038-Document-allow_writeable_chroot-in-the-man-page.patch => 0038-Document-allow_writeable_chroot-in-the-man-page.patch (100%)
 rename SOURCES/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch => 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch (100%)
 rename SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch => 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch (91%)
 rename SOURCES/0044-Disable-anonymous_enable-in-default-config-file.patch => 0044-Disable-anonymous_enable-in-default-config-file.patch (100%)
 rename SOURCES/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch => 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch (100%)
 rename SOURCES/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch => 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch (100%)
 rename SOURCES/0047-Disable-tcp_wrappers-support.patch => 0047-Disable-tcp_wrappers-support.patch (100%)
 rename SOURCES/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch => 0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch (100%)
 rename SOURCES/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch => 0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch (100%)
 rename SOURCES/0050-Don-t-link-with-libnsl.patch => 0050-Don-t-link-with-libnsl.patch (100%)
 rename SOURCES/0051-Improve-documentation-of-better_stou-in-the-man-page.patch => 0051-Improve-documentation-of-better_stou-in-the-man-page.patch (100%)
 rename SOURCES/0052-Fix-rDNS-with-IPv6.patch => 0052-Fix-rDNS-with-IPv6.patch (100%)
 rename SOURCES/0053-Always-do-chdir-after-chroot.patch => 0053-Always-do-chdir-after-chroot.patch (100%)
 rename SOURCES/0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch => 0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch (100%)
 rename SOURCES/0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch => 0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch (100%)
 rename SOURCES/0056-Log-die-calls-to-syslog.patch => 0056-Log-die-calls-to-syslog.patch (100%)
 rename SOURCES/0057-Improve-error-message-when-max-number-of-bind-attemp.patch => 0057-Improve-error-message-when-max-number-of-bind-attemp.patch (100%)
 rename SOURCES/0058-Make-the-max-number-of-bind-retries-tunable.patch => 0058-Make-the-max-number-of-bind-retries-tunable.patch (100%)
 rename SOURCES/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch => 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch (100%)
 delete mode 100644 SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
 delete mode 100644 SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
 delete mode 100644 SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 delete mode 100644 SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
 delete mode 100644 SOURCES/0040-Use-system-wide-crypto-policy.patch
 delete mode 100644 SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
 delete mode 100644 SOURCES/0043-Enable-only-TLSv1.2-by-default.patch
 delete mode 100644 SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
 delete mode 100644 SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
 create mode 100644 fix-str_open.patch
 create mode 100644 sources
 rename SOURCES/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch => vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch (100%)
 create mode 100644 vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
 create mode 100644 vsftpd-3.0.5-replace-old-network-addr-functions.patch
 create mode 100644 vsftpd-3.0.5-use-old-tlsv-options.patch
 rename SOURCES/vsftpd-generator => vsftpd-generator (100%)
 mode change 100755 => 100644
 rename SOURCES/vsftpd.ftpusers => vsftpd.ftpusers (100%)
 rename SOURCES/vsftpd.pam => vsftpd.pam (100%)
 rename SOURCES/vsftpd.service => vsftpd.service (100%)
 rename SPECS/vsftpd.spec => vsftpd.spec (85%)
 rename SOURCES/vsftpd.target => vsftpd.target (100%)
 rename SOURCES/vsftpd.user_list => vsftpd.user_list (100%)
 rename SOURCES/vsftpd.xinetd => vsftpd.xinetd (100%)
 rename SOURCES/vsftpd@.service => vsftpd@.service (100%)
 rename SOURCES/vsftpd_conf_migrate.sh => vsftpd_conf_migrate.sh (100%)
 mode change 100755 => 100644
diff --git a/.gitignore b/.gitignore
index 80044ba..f8acc6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/vsftpd-3.0.3.tar.gz
+vsftpd-3.0.5.tar.gz
diff --git a/.vsftpd.metadata b/.vsftpd.metadata
deleted file mode 100644
index 8ae172c..0000000
--- a/.vsftpd.metadata
+++ /dev/null
@@ -1 +0,0 @@
-d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz
diff --git a/SOURCES/0001-Don-t-use-the-provided-script-to-locate-libraries.patch b/0001-Don-t-use-the-provided-script-to-locate-libraries.patch
similarity index 100%
rename from SOURCES/0001-Don-t-use-the-provided-script-to-locate-libraries.patch
rename to 0001-Don-t-use-the-provided-script-to-locate-libraries.patch
diff --git a/SOURCES/0001-Fix-timestamp-handling-in-MDTM.patch b/0001-Fix-timestamp-handling-in-MDTM.patch
similarity index 99%
rename from SOURCES/0001-Fix-timestamp-handling-in-MDTM.patch
rename to 0001-Fix-timestamp-handling-in-MDTM.patch
index 387d81e..3975bf3 100644
--- a/SOURCES/0001-Fix-timestamp-handling-in-MDTM.patch
+++ b/0001-Fix-timestamp-handling-in-MDTM.patch
@@ -1,7 +1,7 @@
 From 6a4dc470e569df38b8a7ea09ee6aace3c73b7353 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Wed, 28 Mar 2018 09:06:34 +0200
-Subject: [PATCH] Fix timestamp handling in MDTM
+Subject: [PATCH 1/2] Fix timestamp handling in MDTM
 There were two problems with the timestamp handling with MDTM:
diff --git a/SOURCES/0001-Move-closing-standard-FDs-after-listen.patch b/0001-Move-closing-standard-FDs-after-listen.patch
similarity index 100%
rename from SOURCES/0001-Move-closing-standard-FDs-after-listen.patch
rename to 0001-Move-closing-standard-FDs-after-listen.patch
diff --git a/SOURCES/0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch b/0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
similarity index 100%
rename from SOURCES/0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
rename to 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
diff --git a/SOURCES/0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch b/0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
similarity index 97%
rename from SOURCES/0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
rename to 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
index 0e3bcd4..63d555e 100644
--- a/SOURCES/0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
+++ b/0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
@@ -1,8 +1,7 @@
 From 7957425ef5ab365fc96ea0615f99705581c6dbd8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Mon, 12 Aug 2019 18:15:36 +0200
-Subject: [PATCH 3/3] Repeat pututxline() until it succeeds if it fails with
- EINTR
+Subject: [PATCH] Repeat pututxline() until it succeeds if it fails with EINTR
 Since the pututxline() bug rhbz#1749439 is now fixed in glibc in Fedora
 and RHEL-8, we can implement a complete solution for the stale
diff --git a/SOURCES/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch b/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
similarity index 96%
rename from SOURCES/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
rename to 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
index a2be65a..00bf82c 100644
--- a/SOURCES/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
+++ b/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
@@ -1,7 +1,7 @@
 From 96698a525784ad91cb27b572dd5f871c183fdfa5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Sun, 28 Jul 2019 12:25:35 +0200
-Subject: [PATCH 1/3] Set s_uwtmp_inserted only after record insertion/removal
+Subject: [PATCH 1/2] Set s_uwtmp_inserted only after record insertion/removal
 pututxline() is the function that actually inserts the new record, so
 setting 's_uwtmp_inserted' before calling pututxline() doesn't make
diff --git a/0002-Drop-an-unused-global-variable.patch b/0002-Drop-an-unused-global-variable.patch
new file mode 100644
index 0000000..53af589
--- /dev/null
+++ b/0002-Drop-an-unused-global-variable.patch
@@ -0,0 +1,56 @@
+From d0045e35674d64d166d17c3c079ae03e8c2e6361 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
+Date: Thu, 13 Feb 2020 17:29:06 +0100
+Subject: [PATCH 2/2] Drop an unused global variable
+
+The global variable `s_timezone` is not used anymore, so we can drop
+it.
+---
+ sysutil.c | 17 +++-------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/sysutil.c b/sysutil.c
+index 66d4c5e..0ccf551 100644
+--- a/sysutil.c
++++ b/sysutil.c
+@@ -72,8 +72,6 @@ static struct timeval s_current_time;
+ static int s_current_pid = -1;
+ /* Exit function */
+ static exitfunc_t s_exit_func;
+-/* Difference in timezone from GMT in seconds */
+-static long s_timezone;
+
+ /* Our internal signal handling implementation details */
+ static struct vsf_sysutil_sig_details
+@@ -2661,7 +2659,6 @@ char* vsf_sysutil_get_tz()
+ void
+ vsf_sysutil_tzset(void)
+ {
+- int retval;
+ char *tz=NULL, tzbuf[sizeof("+HHMM!")];
+ time_t the_time = time(NULL);
+ struct tm* p_tm;
+@@ -2681,17 +2678,9 @@ vsf_sysutil_tzset(void)
+ {
+ die("localtime");
+ }
+- retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
+- tzbuf[sizeof(tzbuf) - 1] = '\0';
+- if (retval == 5)
+- {
+- s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60;
+- s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60;
+- if (tzbuf[0] == '+')
+- {
+- s_timezone *= -1;
+- }
+- }
++ /* Not sure if the following call to strftime() has any desired side
++ effects, so I'm keeping it to be safe. */
++ (void) strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
+ /* Call in to the time subsystem again now that TZ is set, trying to force
+ * caching of the actual zoneinfo for the timezone.
+ */
+--
+2.24.1
+
diff --git a/SOURCES/0002-Enable-build-with-SSL.patch b/0002-Enable-build-with-SSL.patch
similarity index 100%
rename from SOURCES/0002-Enable-build-with-SSL.patch
rename to 0002-Enable-build-with-SSL.patch
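Review bot: The retained call `(void) strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);` in the vsf_sysutil_tzset() part of this new patch is justified only by "Not sure if the following call to strftime() has any desired side effects, so I'm keeping it to be safe", which leaves the next maintainer unable to tell whether the line may be removed. POSIX specifies that strftime() sets local timezone information as though tzset() had been called, which is presumably the effect the author was relying on given the following "Call in to the time subsystem again now that TZ is set" comment; the comment should state that instead of the uncertainty, e.g. `/* POSIX requires strftime() to behave as though tzset() was called; kept so the TZ state is initialised here. */`. If that is not the intent, the call and the now write-only `tzbuf` (sized by `sizeof("+HHMM!")`) are dead and should go together. Only part of vsf_sysutil_tzset() is visible in the inner hunk.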
diff --git a/SOURCES/0002-Prevent-recursion-in-bug.patch b/0002-Prevent-recursion-in-bug.patch
similarity index 100%
rename from SOURCES/0002-Prevent-recursion-in-bug.patch
rename to 0002-Prevent-recursion-in-bug.patch
diff --git a/SOURCES/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch b/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
similarity index 97%
rename from SOURCES/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
rename to 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
index fcbc728..e89efcf 100644
--- a/SOURCES/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
+++ b/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
@@ -1,7 +1,7 @@
 From 896b3694ca062d747cd67e9e9ba246adb3fc706b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Mon, 5 Aug 2019 13:55:37 +0200
-Subject: [PATCH 2/3] Repeat pututxline() if it fails with EINTR
+Subject: [PATCH 2/2] Repeat pututxline() if it fails with EINTR
 This is a partial fix for rhbz#1688848. We cannot resolve it completely
 until glibc bug rhbz#1734791 is fixed. See
diff --git a/SOURCES/0003-Enable-build-with-TCP-Wrapper.patch b/0003-Enable-build-with-TCP-Wrapper.patch
similarity index 100%
rename from SOURCES/0003-Enable-build-with-TCP-Wrapper.patch
rename to 0003-Enable-build-with-TCP-Wrapper.patch
diff --git a/SOURCES/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch b/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch
similarity index 100%
rename from SOURCES/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch
rename to 0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch
diff --git a/SOURCES/0005-Use-hostname-when-calling-PAM-authentication-module.patch b/0005-Use-hostname-when-calling-PAM-authentication-module.patch
similarity index 100%
rename from SOURCES/0005-Use-hostname-when-calling-PAM-authentication-module.patch
rename to 0005-Use-hostname-when-calling-PAM-authentication-module.patch
diff --git a/SOURCES/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch b/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch
similarity index 100%
rename from SOURCES/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch
rename to 0006-Close-stdin-out-err-before-listening-for-incoming-co.patch
diff --git a/SOURCES/0007-Make-filename-filters-smarter.patch b/0007-Make-filename-filters-smarter.patch
similarity index 100%
rename from SOURCES/0007-Make-filename-filters-smarter.patch
rename to 0007-Make-filename-filters-smarter.patch
diff --git a/SOURCES/0008-Write-denied-logins-into-the-log.patch b/0008-Write-denied-logins-into-the-log.patch
similarity index 100%
rename from SOURCES/0008-Write-denied-logins-into-the-log.patch
rename to 0008-Write-denied-logins-into-the-log.patch
diff --git a/SOURCES/0009-Trim-whitespaces-when-reading-configuration.patch b/0009-Trim-whitespaces-when-reading-configuration.patch
similarity index 100%
rename from SOURCES/0009-Trim-whitespaces-when-reading-configuration.patch
rename to 0009-Trim-whitespaces-when-reading-configuration.patch
diff --git a/SOURCES/0010-Improve-daemonizing.patch b/0010-Improve-daemonizing.patch
similarity index 100%
rename from SOURCES/0010-Improve-daemonizing.patch
rename to 0010-Improve-daemonizing.patch
diff --git a/SOURCES/0011-Fix-listing-with-more-than-one-star.patch b/0011-Fix-listing-with-more-than-one-star.patch
similarity index 100%
rename from SOURCES/0011-Fix-listing-with-more-than-one-star.patch
rename to 0011-Fix-listing-with-more-than-one-star.patch
diff --git a/SOURCES/0012-Replace-syscall-__NR_clone-.-with-clone.patch b/0012-Replace-syscall-__NR_clone-.-with-clone.patch
similarity index 100%
rename from SOURCES/0012-Replace-syscall-__NR_clone-.-with-clone.patch
rename to 0012-Replace-syscall-__NR_clone-.-with-clone.patch
diff --git a/SOURCES/0013-Extend-man-pages-with-systemd-info.patch b/0013-Extend-man-pages-with-systemd-info.patch
similarity index 100%
rename from SOURCES/0013-Extend-man-pages-with-systemd-info.patch
rename to 0013-Extend-man-pages-with-systemd-info.patch
diff --git a/SOURCES/0014-Add-support-for-square-brackets-in-ls.patch b/0014-Add-support-for-square-brackets-in-ls.patch
similarity index 100%
rename from SOURCES/0014-Add-support-for-square-brackets-in-ls.patch
rename to 0014-Add-support-for-square-brackets-in-ls.patch
diff --git a/SOURCES/0015-Listen-on-IPv6-by-default.patch b/0015-Listen-on-IPv6-by-default.patch
similarity index 100%
rename from SOURCES/0015-Listen-on-IPv6-by-default.patch
rename to 0015-Listen-on-IPv6-by-default.patch
diff --git a/SOURCES/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch b/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
similarity index 100%
rename from SOURCES/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
rename to 0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
diff --git a/SOURCES/0017-Fix-an-issue-with-timestamps-during-DST.patch b/0017-Fix-an-issue-with-timestamps-during-DST.patch
similarity index 100%
rename from SOURCES/0017-Fix-an-issue-with-timestamps-during-DST.patch
rename to 0017-Fix-an-issue-with-timestamps-during-DST.patch
diff --git a/SOURCES/0018-Change-the-default-log-file-in-configuration.patch b/0018-Change-the-default-log-file-in-configuration.patch
similarity index 100%
rename from SOURCES/0018-Change-the-default-log-file-in-configuration.patch
rename to 0018-Change-the-default-log-file-in-configuration.patch
diff --git a/SOURCES/0019-Introduce-reverse_lookup_enable-option.patch b/0019-Introduce-reverse_lookup_enable-option.patch
similarity index 100%
rename from SOURCES/0019-Introduce-reverse_lookup_enable-option.patch
rename to 0019-Introduce-reverse_lookup_enable-option.patch
diff --git a/SOURCES/0020-Use-unsigned-int-for-uid-and-gid-representation.patch b/0020-Use-unsigned-int-for-uid-and-gid-representation.patch
similarity index 100%
rename from SOURCES/0020-Use-unsigned-int-for-uid-and-gid-representation.patch
rename to 0020-Use-unsigned-int-for-uid-and-gid-representation.patch
diff --git a/0021-Follow-crypto-policies-for-ssl-ciphers.patch b/0021-Follow-crypto-policies-for-ssl-ciphers.patch
new file mode 100644
index 0000000..22b989d
--- /dev/null
+++ b/0021-Follow-crypto-policies-for-ssl-ciphers.patch
@@ -0,0 +1,39 @@
+diff --git a/tunables.c b/tunables.c
+--- a/tunables.c
++++ b/tunables.c
+@@ -295,7 +295,7 @@
+ install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
+ &tunable_rsa_cert_file);
+ install_str_setting(0, &tunable_dsa_cert_file);
+- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
++ install_str_setting(0, &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_rsa_private_key_file);
+ install_str_setting(0, &tunable_dsa_private_key_file);
+ install_str_setting(0, &tunable_ca_certs_file);
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1030,14 +1030,16 @@
+ Default: /usr/share/empty
+ .TP
+ .B ssl_ciphers
+-This option can be used to select which SSL ciphers vsftpd will allow for
+-encrypted SSL connections. See the
+-.BR ciphers
++This option can be used to select which TLS ciphers vsftpd will allow for
++encrypted TLS connections. See the
++.BR openssl-ciphers
+-man page for further details. Note that restricting ciphers can be a useful
+-security precaution as it prevents malicious remote parties forcing a cipher
+-which they have found problems with.
++man page for further details.
++
++By default, the system-wide crypto policy is used. See
++.BR update-crypto-policies(8)
++for further details.
+
+-Default: DES-CBC3-SHA
++Default: (none - system-wide crypto policy is followed)
+ .TP
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
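Review bot: The rewritten ssl_ciphers entry in the vsftpd.conf.5 part of this new patch does not say which protocol versions the option governs. The tunables.c part still hands the value to SSL_CTX_set_cipher_list() (visible in the ssl.c hunk of the following 0022 patch), which only controls TLSv1.2-and-earlier cipher lists, so an administrator who sets ssl_ciphers to narrow the server's cipher set still gets OpenSSL's default TLSv1.3 ciphersuites; the separate ssl_ciphersuites knob only appears in 0022. Proposed addition after `man page for further details.`: `This option only affects TLSv1.2 and earlier; TLSv1.3 ciphersuites are configured separately.` (or place it in 0022's man-page hunk, where ssl_ciphersuites is documented). The two `.BR` lines also carry a single argument (`.BR openssl-ciphers`, `.BR update-crypto-policies(8)`), so nothing alternates to roman; `.BR update-crypto-policies (8)` is the conventional form for a section reference.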
@@ -0,0 +1,135 @@
+diff --git a/parseconf.c b/parseconf.c
+--- a/parseconf.c
++++ b/parseconf.c
+@@ -180,6 +180,9 @@ parseconf_str_array[] =
+ { "email_password_file", &tunable_email_password_file },
+ { "rsa_cert_file", &tunable_rsa_cert_file },
+ { "dsa_cert_file", &tunable_dsa_cert_file },
++ { "dh_param_file", &tunable_dh_param_file },
++ { "ecdh_param_file", &tunable_ecdh_param_file },
++ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
+ { "ssl_ciphers", &tunable_ssl_ciphers },
+ { "rsa_private_key_file", &tunable_rsa_private_key_file },
+ { "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff --git a/ssl.c b/ssl.c
+--- a/ssl.c
++++ b/ssl.c
+@@ -130,6 +130,30 @@ ssl_init(struct vsf_session* p_sess)
+ die("SSL: cannot load DSA private key");
+ }
+ }
++ if (tunable_dh_param_file)
++ {
++ BIO *bio;
++ EVP_PKEY *dh_params = NULL;
++ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
++ {
++ die("SSL: cannot load custom DH params");
++ }
++ dh_params = PEM_read_bio_Parameters(bio, NULL);
++ BIO_free(bio);
++ if (dh_params == NULL || !SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
++ {
++ die("SSL: setting custom DH params failed");
++ }
++ }
++ else
++ {
++ SSL_CTX_set_dh_auto(p_ctx, 1);
++ }
++ if (tunable_ssl_ciphersuites &&
++ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
++ {
++ die("SSL: could not set ciphersuites");
++ }
+ if (tunable_ssl_ciphers &&
+ SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
+ {
+@@ -139,15 +163,6 @@ ssl_init(struct vsf_session* p_sess)
+ {
+ die("SSL: RNG is not seeded");
+ }
+- {
+- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+- if (key == NULL)
+- {
+- die("SSL: failed to get curve p256");
+- }
+- SSL_CTX_set_tmp_ecdh(p_ctx, key);
+- EC_KEY_free(key);
+- }
+ if (tunable_ssl_request_cert)
+ {
+ verify_option |= SSL_VERIFY_PEER;
+diff --git a/tunables.c b/tunables.c
+--- a/tunables.c
++++ b/tunables.c
+@@ -143,6 +143,9 @@ const char* tunable_user_sub_token;
+ const
char* tunable_email_password_file;
+ const char* tunable_rsa_cert_file;
+ const char* tunable_dsa_cert_file;
++const char* tunable_dh_param_file;
++const char* tunable_ecdh_param_file;
++const char* tunable_ssl_ciphersuites;
+ const char* tunable_ssl_ciphers;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+@@ -295,6 +298,9 @@ tunables_load_defaults()
+ install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
+ &tunable_rsa_cert_file);
+ install_str_setting(0, &tunable_dsa_cert_file);
++ install_str_setting(0, &tunable_dh_param_file);
++ install_str_setting(0, &tunable_ecdh_param_file);
++ install_str_setting(0, &tunable_ssl_ciphersuites);
+ install_str_setting(0, &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_rsa_private_key_file);
+ install_str_setting(0, &tunable_dsa_private_key_file);
+diff --git a/tunables.h b/tunables.h
+--- a/tunables.h
++++ b/tunables.h
+@@ -145,6 +145,9 @@ extern const char* tunable_user_sub_token;
+ extern const char* tunable_email_password_file;
+ extern const char* tunable_rsa_cert_file;
+ extern const char* tunable_dsa_cert_file;
++extern const char* tunable_dh_param_file;
++extern const char* tunable_ecdh_param_file;
++extern const char* tunable_ssl_ciphersuites;
+ extern const char* tunable_ssl_ciphers;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1029,6 +1029,32 @@
+
+ Default: /usr/share/empty
+ .TP
++.B dh_param_file
++This option specifies the location of custom parameters used for
++ephemeral Diffie-Hellman key exchange in TLS.
++
++Default: (none - use built-in parameters appropriate for certificate key size)
++.TP
++.B ecdh_param_file
++This option specifies the location of custom curve parameters for ephemeral
++Elliptic Curve Diffie-Hellman (ECDH) key exchange in TLS.
++
++This option is deprecated and has no effect.
++
++Default: (none - enable all supported curve groups)
++.TP
++.B ssl_ciphersuites
++This option can be used to select which TLS ciphersuites vsftpd will allow for
++encrypted TLS connections with TLSv1.3. See the
++.BR openssl-ciphers
++man page for further details.
++
++By default, the system-wide crypto policy is used. See
++.BR update-crypto-policies(8)
++for further details.
++
++Default: (none - system-wide crypto policy is followed)
++.TP
+ .B ssl_ciphers
+ This option can be used to select which TLS ciphers vsftpd will allow for
+ encrypted TLS connections. See the
diff --git a/SOURCES/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch b/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch
similarity index 100%
rename from SOURCES/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch
rename to 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch
diff --git a/SOURCES/0024-Introduce-new-return-value-450.patch b/0024-Introduce-new-return-value-450.patch
similarity index 100%
rename from SOURCES/0024-Introduce-new-return-value-450.patch
rename to 0024-Introduce-new-return-value-450.patch
diff --git a/SOURCES/0025-Improve-local_max_rate-option.patch b/0025-Improve-local_max_rate-option.patch
similarity index 97%
rename from SOURCES/0025-Improve-local_max_rate-option.patch
rename to 0025-Improve-local_max_rate-option.patch
index e78f825..2c74c7a 100644
--- a/SOURCES/0025-Improve-local_max_rate-option.patch
+++ b/0025-Improve-local_max_rate-option.patch
@@ -60,9 +60,9 @@ diff --git a/main.c b/main.c index eaba265..f1e2f69 100644 --- a/main.c +++ b/main.c -@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) +@@ -40,7 +40,7 @@ /* Control connection */ - 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, /* Data connection */ - -1, 0, -1, 0, 0, 0, 0, + -1, 0, -1, 0, 0, 0, 0, 0,
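Review bot: In the ssl.c hunk the custom-parameter path accepts any PEM parameter object: PEM_read_bio_Parameters() returns whatever parameter type the file holds, and as far as I recall SSL_CTX_set0_tmp_dh_pkey() only applies the security-level size check, so an operator who points dh_param_file at EC parameters (for instance an old ecdh_param_file) gets a clean start-up and failures only at handshake time. A type check before installing keeps the failure at ssl_init(): `if (dh_params == NULL || !EVP_PKEY_is_a(dh_params, "DH") || !SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))` (also accept `"DHX"` if X9.42 parameters are meant to work). Related, ecdh_param_file is still registered in parseconf.c but deliberately ignored; since that option used to pin a curve, a start-up warning when it is set would be better than silent acceptance, with a comment such as `/* ecdh_param_file is accepted for compatibility but ignored: group selection is left to OpenSSL */` above whatever logging call the daemon already uses. Because ssl_init() leaves via die() on failure, the EVP_PKEY that stays owned by the caller when SSL_CTX_set0_tmp_dh_pkey() returns 0 is not a leak in practice. ssl_init() begins and ends outside the hunk.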
diff --git a/SOURCES/0026-Prevent-hanging-in-SIGCHLD-handler.patch b/0026-Prevent-hanging-in-SIGCHLD-handler.patch
similarity index 100%
rename from SOURCES/0026-Prevent-hanging-in-SIGCHLD-handler.patch
rename to 0026-Prevent-hanging-in-SIGCHLD-handler.patch
diff --git a/SOURCES/0027-Delete-files-when-upload-fails.patch b/0027-Delete-files-when-upload-fails.patch
similarity index 100%
rename from SOURCES/0027-Delete-files-when-upload-fails.patch
rename to 0027-Delete-files-when-upload-fails.patch
diff --git a/SOURCES/0028-Fix-man-page-rendering.patch b/0028-Fix-man-page-rendering.patch
similarity index 100%
rename from SOURCES/0028-Fix-man-page-rendering.patch
rename to 0028-Fix-man-page-rendering.patch
diff --git a/SOURCES/0029-Fix-segfault-in-config-file-parser.patch b/0029-Fix-segfault-in-config-file-parser.patch
similarity index 100%
rename from SOURCES/0029-Fix-segfault-in-config-file-parser.patch
rename to 0029-Fix-segfault-in-config-file-parser.patch
diff --git a/SOURCES/0030-Fix-logging-into-syslog-when-enabled-in-config.patch b/0030-Fix-logging-into-syslog-when-enabled-in-config.patch
similarity index 100%
rename from SOURCES/0030-Fix-logging-into-syslog-when-enabled-in-config.patch
rename to 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
diff --git a/SOURCES/0031-Fix-question-mark-wildcard-withing-a-file-name.patch b/0031-Fix-question-mark-wildcard-withing-a-file-name.patch
similarity index 100%
rename from SOURCES/0031-Fix-question-mark-wildcard-withing-a-file-name.patch
rename to 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
diff --git a/SOURCES/0032-Propagate-errors-from-nfs-with-quota-to-client.patch b/0032-Propagate-errors-from-nfs-with-quota-to-client.patch
similarity index 100%
rename from SOURCES/0032-Propagate-errors-from-nfs-with-quota-to-client.patch
rename to 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
diff --git a/SOURCES/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch b/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
similarity index 100%
rename from SOURCES/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
rename to 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
diff --git a/SOURCES/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch b/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
similarity index 100%
rename from SOURCES/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
rename to 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
diff --git a/SOURCES/0037-Document-the-relationship-of-text_userdb_names-and-c.patch b/0037-Document-the-relationship-of-text_userdb_names-and-c.patch
similarity index 100%
rename from SOURCES/0037-Document-the-relationship-of-text_userdb_names-and-c.patch
rename to 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
diff --git a/SOURCES/0038-Document-allow_writeable_chroot-in-the-man-page.patch b/0038-Document-allow_writeable_chroot-in-the-man-page.patch
similarity index 100%
rename from SOURCES/0038-Document-allow_writeable_chroot-in-the-man-page.patch
rename to 0038-Document-allow_writeable_chroot-in-the-man-page.patch
diff --git a/SOURCES/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch b/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
similarity index 100%
rename from SOURCES/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
rename to 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
diff --git a/SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
similarity index 91%
rename from SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
rename to 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
index 250a44c..1e14813 100644
--- a/SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+++ b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
@@ -23,7 +23,7 @@ index 1212980..d024366 100644
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
}
- if (tunable_tlsv1)
-+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
{
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
}
diff --git a/SOURCES/0044-Disable-anonymous_enable-in-default-config-file.patch b/0044-Disable-anonymous_enable-in-default-config-file.patch
similarity index 100%
rename from SOURCES/0044-Disable-anonymous_enable-in-default-config-file.patch
rename to 0044-Disable-anonymous_enable-in-default-config-file.patch
diff --git a/SOURCES/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch b/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
similarity index 100%
rename from SOURCES/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
rename to 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
diff --git a/SOURCES/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch b/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
similarity index 100%
rename from SOURCES/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
rename to 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
diff --git a/SOURCES/0047-Disable-tcp_wrappers-support.patch b/0047-Disable-tcp_wrappers-support.patch
similarity index 100%
rename from SOURCES/0047-Disable-tcp_wrappers-support.patch
rename to 0047-Disable-tcp_wrappers-support.patch
diff --git a/SOURCES/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch b/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
similarity index 100%
rename from SOURCES/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
rename to 0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
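Review bot: The added `|| tunable_tlsv1_3` in the FEAT check references a tunable that this series no longer declares itself: the patch that introduced tunable_tlsv1_1 and tunable_tlsv1_2 (0033) and the TLSv1.3 option patches are deleted in this same commit, so the name presumably comes from the upstream 3.0.5 sources now; worth confirming the rebased series still builds with SSL enabled, since a stale name here only surfaces at compile time. The patch's own subject line still names only ssl_tlsv1_1 and ssl_tlsv1_2; mentioning `ssl_tlsv1_3` there would keep the series description accurate. The enclosing FEAT handler starts and ends outside the hunk.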
diff --git a/SOURCES/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch b/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
similarity index 100%
rename from SOURCES/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
rename to 0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
diff --git a/SOURCES/0050-Don-t-link-with-libnsl.patch b/0050-Don-t-link-with-libnsl.patch
similarity index 100%
rename from SOURCES/0050-Don-t-link-with-libnsl.patch
rename to 0050-Don-t-link-with-libnsl.patch
diff --git a/SOURCES/0051-Improve-documentation-of-better_stou-in-the-man-page.patch b/0051-Improve-documentation-of-better_stou-in-the-man-page.patch
similarity index 100%
rename from SOURCES/0051-Improve-documentation-of-better_stou-in-the-man-page.patch
rename to 0051-Improve-documentation-of-better_stou-in-the-man-page.patch
diff --git a/SOURCES/0052-Fix-rDNS-with-IPv6.patch b/0052-Fix-rDNS-with-IPv6.patch
similarity index 100%
rename from SOURCES/0052-Fix-rDNS-with-IPv6.patch
rename to 0052-Fix-rDNS-with-IPv6.patch
diff --git a/SOURCES/0053-Always-do-chdir-after-chroot.patch b/0053-Always-do-chdir-after-chroot.patch
similarity index 100%
rename from SOURCES/0053-Always-do-chdir-after-chroot.patch
rename to 0053-Always-do-chdir-after-chroot.patch
diff --git a/SOURCES/0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch b/0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
similarity index 100%
rename from SOURCES/0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
rename to 0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
diff --git a/SOURCES/0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch b/0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
similarity index 100%
rename from SOURCES/0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
rename to 0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
diff --git a/SOURCES/0056-Log-die-calls-to-syslog.patch b/0056-Log-die-calls-to-syslog.patch
similarity index 100%
rename from SOURCES/0056-Log-die-calls-to-syslog.patch
rename to 0056-Log-die-calls-to-syslog.patch
diff --git a/SOURCES/0057-Improve-error-message-when-max-number-of-bind-attemp.patch b/0057-Improve-error-message-when-max-number-of-bind-attemp.patch
similarity index 100%
rename from SOURCES/0057-Improve-error-message-when-max-number-of-bind-attemp.patch
rename to 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
diff --git a/SOURCES/0058-Make-the-max-number-of-bind-retries-tunable.patch b/0058-Make-the-max-number-of-bind-retries-tunable.patch
similarity index 100%
rename from SOURCES/0058-Make-the-max-number-of-bind-retries-tunable.patch
rename to 0058-Make-the-max-number-of-bind-retries-tunable.patch
diff --git a/SOURCES/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch b/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
similarity index 100%
rename from SOURCES/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
rename to 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
diff --git a/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
deleted file mode 100644
index 1abe1e4..0000000
--- a/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
+++ /dev/null
@@ -1,226 +0,0 @@ -From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 10:48:28 +0100 -Subject: [PATCH 21/59] Introduce support for DHE based cipher suites. - ---- - parseconf.c | 1 + - ssl.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - tunables.c | 5 +++- - tunables.h | 1 + - vsftpd.conf.5 | 6 ++++ - 5 files changed, 104 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 3e0dba4..38e3182 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -176,6 +176,7 @@ parseconf_str_array[] = - { "email_password_file", &tunable_email_password_file }, - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, -+ { "dh_param_file", &tunable_dh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index c362983..22b69b3 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -28,6 +28,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - -@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); - static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); -+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); -@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, - static int ssl_inited; - static struct mystr debug_str; - -+ -+// Grab prime number from OpenSSL; -+// (get_rfc*) for all available primes. -+// wraps selection of comparable algorithm strength -+#if !defined(match_dh_bits) -+ #define match_dh_bits(keylen) \ -+ keylen >= 8191 ? 
8192 : \ -+ keylen >= 6143 ? 6144 : \ -+ keylen >= 4095 ? 4096 : \ -+ keylen >= 3071 ? 3072 : \ -+ keylen >= 2047 ? 2048 : \ -+ keylen >= 1535 ? 1536 : \ -+ keylen >= 1023 ? 1024 : 768 -+#endif -+ -+#if !defined(DH_get_prime) -+ BIGNUM * -+ DH_get_prime(int bits) -+ { -+ switch (bits) { -+ case 768: return get_rfc2409_prime_768(NULL); -+ case 1024: return get_rfc2409_prime_1024(NULL); -+ case 1536: return get_rfc3526_prime_1536(NULL); -+ case 2048: return get_rfc3526_prime_2048(NULL); -+ case 3072: return get_rfc3526_prime_3072(NULL); -+ case 4096: return get_rfc3526_prime_4096(NULL); -+ case 6144: return get_rfc3526_prime_6144(NULL); -+ case 8192: return get_rfc3526_prime_8192(NULL); -+ // shouldn't happen when used match_dh_bits; strict compiler -+ default: return NULL; -+ } -+} -+#endif -+ -+#if !defined(DH_get_dh) -+ // Grab DH parameters -+ DH * -+ DH_get_dh(int size) -+ { -+ DH *dh = DH_new(); -+ if (!dh) { -+ return NULL; -+ } -+ dh->p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&dh->g, "2"); -+ if (!dh->p || !dh->g) -+ { -+ DH_free(dh); -+ return NULL; -+ } -+ return dh; -+ } -+#endif -+ - void - ssl_init(struct vsf_session* p_sess) - { -@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) - die("SSL: cannot load DSA private key"); - } - } -+ if (tunable_dh_param_file) -+ { -+ BIO *bio; -+ DH *dhparams = NULL; -+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) -+ { -+ die("SSL: cannot load custom DH params"); -+ } -+ else -+ { -+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ -+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) -+ { -+ die("SSL: setting custom DH params failed"); -+ } -+ } -+ } - if (tunable_ssl_ciphers && - SSL_CTX_set_cipher_list(p_ctx, 
tunable_ssl_ciphers) != 1) - { -@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) - /* Ensure cached session doesn't expire */ - SSL_CTX_set_timeout(p_ctx, INT_MAX); - } -+ -+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); -+ - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } -@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) - return 1; - } - -+#define UNUSED(x) ( (void)(x) ) -+ -+static DH * -+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) -+{ -+ // strict compiler bypassing -+ UNUSED(ssl); -+ UNUSED(is_export); -+ -+ return DH_get_dh(keylength); -+} -+ - void - ssl_add_entropy(struct vsf_session* p_sess) - { -diff --git a/tunables.c b/tunables.c -index c737465..1ea7227 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -140,6 +140,7 @@ const char* tunable_user_sub_token; - const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; -+const char* tunable_dh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -288,7 +289,9 @@ tunables_load_defaults() - install_str_setting("/usr/share/ssl/certs/vsftpd.pem", - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); -- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); -+ install_str_setting(0, &tunable_dh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 9553038..3995472 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_token; - extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; -+extern 
const char* tunable_dh_param_file; - extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index fb6324e..ff94eca 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -893,6 +893,12 @@ to be in the same file as the certificate. - - Default: (none) - .TP -+.B dh_param_file -+This option specifies the location of the custom parameters used for -+ephemeral Diffie-Hellman key exchange in SSL. -+ -+Default: (none - use built in parameters appropriate for certificate key size) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.14.4 - diff --git a/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch deleted file mode 100644 index 1428b86..0000000 --- a/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 10:49:22 +0100 -Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites. - ---- - parseconf.c | 1 + - ssl.c | 37 ++++++++++++++++++++++++++++++++++++- - tunables.c | 4 +++- - tunables.h | 1 + - vsftpd.conf.5 | 8 ++++++++ - 5 files changed, 49 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 38e3182..a2c715b 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -177,6 +177,7 @@ parseconf_str_array[] = - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, - { "dh_param_file", &tunable_dh_param_file }, -+ { "ecdh_param_file", &tunable_ecdh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index 22b69b3..96bf8ad 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) - - SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); - -+ if (tunable_ecdh_param_file) -+ { -+ BIO *bio; -+ int nid; -+ EC_GROUP *ecparams = NULL; -+ EC_KEY *eckey; -+ -+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) -+ die("SSL: cannot load custom ec params"); -+ else -+ { -+ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ -+ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) && -+ (eckey = EC_KEY_new_by_curve_name(nid))) -+ { -+ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) -+ die("SSL: setting custom EC params failed"); -+ } -+ else -+ { -+ die("SSL: 
getting ec group or key failed"); -+ } -+ } -+ } -+ else -+ { -+#if defined(SSL_CTX_set_ecdh_auto) -+ SSL_CTX_set_ecdh_auto(p_ctx, 1); -+#else -+ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); -+#endif -+ } -+ - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } -diff --git a/tunables.c b/tunables.c -index 1ea7227..93f85b1 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -141,6 +141,7 @@ const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; - const char* tunable_dh_param_file; -+const char* tunable_ecdh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -290,7 +291,8 @@ tunables_load_defaults() - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ install_str_setting(0, &tunable_ecdh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", - &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); -diff --git a/tunables.h b/tunables.h -index 3995472..3e2d40c 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; - extern const char* tunable_dh_param_file; -+extern const char* tunable_ecdh_param_file; - extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index ff94eca..e242873 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL. 
- - Default: (none - use built in parameters appropriate for certificate key size) - .TP -+.B ecdh_param_file -+This option specifies the location of custom parameters for ephemeral -+Elliptic Curve Diffie-Hellman (ECDH) key exchange. -+ -+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and -+automatically selected curve based on client preferences with OpenSSL 1.0.2 -+and later) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.14.4 - diff --git a/SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch deleted file mode 100644 index 8d6228e..0000000 --- a/SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 13:36:17 +0100 -Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options. - -Users can now enable a specific version of TLS protocol. ---- - parseconf.c | 2 ++ - ssl.c | 8 ++++++++ - tunables.c | 9 +++++++-- - tunables.h | 2 ++ - vsftpd.conf.5 | 24 ++++++++++++++++++++---- - 5 files changed, 39 insertions(+), 6 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index a2c715b..33a1349 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -85,6 +85,8 @@ parseconf_bool_array[] = - { "ssl_sslv2", &tunable_sslv2 }, - { "ssl_sslv3", &tunable_sslv3 }, - { "ssl_tlsv1", &tunable_tlsv1 }, -+ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, -+ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index 96bf8ad..ba8a613 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1; - } -+ if (!tunable_tlsv1_1) -+ { -+ options |= SSL_OP_NO_TLSv1_1; -+ } -+ if (!tunable_tlsv1_2) -+ { -+ options |= SSL_OP_NO_TLSv1_2; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index 93f85b1..78f2bcd 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; - int tunable_sslv2; - int tunable_sslv3; - int tunable_tlsv1; -+int tunable_tlsv1_1; -+int tunable_tlsv1_2; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -209,7 +211,10 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -+ /* TLSv1 up to TLSv1.2 is enabled by default */ - tunable_tlsv1 = 1; -+ tunable_tlsv1_1 = 1; -+ tunable_tlsv1_2 = 1; - 
tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -@@ -292,8 +297,8 @@ tunables_load_defaults() - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", -- &tunable_ssl_ciphers); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 3e2d40c..a466427 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ - extern int tunable_sslv2; /* Allow SSLv2 */ - extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ -+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ -+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index cf1ae34..a3d569e 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -506,7 +506,7 @@ Default: YES - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v2 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -514,7 +514,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v3 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. 
- - Default: NO - .TP -@@ -522,7 +522,23 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_1 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.1 protocol connections. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_2 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.2 protocol connections. -+TLS v1.2 connections are preferred. - - Default: YES - .TP -@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful - security precaution as it prevents malicious remote parties forcing a cipher - which they have found problems with. - --Default: DES-CBC3-SHA -+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 - .TP - .B user_config_dir - This powerful option allows the override of any config option specified in --- -2.14.4 - diff --git a/SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch b/SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch deleted file mode 100644 index 1cebc18..0000000 --- a/SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Mon, 4 Sep 2017 11:32:03 +0200 -Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1 - ---- - ssl.c | 41 ++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/ssl.c b/ssl.c -index ba8a613..09ec96a 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -88,19 +88,54 @@ static struct mystr debug_str; - } - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. -+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free(dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free(dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return 1; -+} -+#endif -+ - #if !defined(DH_get_dh) - // Grab DH parameters - DH * - DH_get_dh(int size) - { -+ BIGNUM *g = NULL; -+ BIGNUM *p = NULL; - DH *dh = DH_new(); - if (!dh) { - return NULL; - } -- dh->p = DH_get_prime(match_dh_bits(size)); -- BN_dec2bn(&dh->g, "2"); -- if (!dh->p || !dh->g) -+ p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&g, "2"); -+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) - { -+ BN_free(g); -+ BN_free(p); - DH_free(dh); - return NULL; - } --- -2.14.4 - diff --git a/SOURCES/0040-Use-system-wide-crypto-policy.patch b/SOURCES/0040-Use-system-wide-crypto-policy.patch deleted file mode 100644 index f59ba2b..0000000 --- a/SOURCES/0040-Use-system-wide-crypto-policy.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From b83be8b4f86bf1a8a6de4802a9486d084c4a46cd Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Tue, 29 Aug 2017 10:32:16 +0200 -Subject: [PATCH 40/59] Use system wide crypto policy - -Resolves: rhbz#1483970 ---- - tunables.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tunables.c b/tunables.c -index 5440c00..354251c 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -297,8 +297,7 @@ tunables_load_defaults() - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -- &tunable_ssl_ciphers); -+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); --- -2.14.4 - diff --git a/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch deleted file mode 100644 index 8b26c7b..0000000 --- a/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 2369d1ea5144d525d315aba90da528e7d9bfd1cc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Thu, 21 Dec 2017 14:19:18 +0100 -Subject: [PATCH 41/59] Document the new default for ssl_ciphers in the man - page - -Related: rhbz#1483970 ---- - vsftpd.conf.5 | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 3ca55e4..2a7662e 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1078,7 +1078,11 @@ man page for further details. Note that restricting ciphers can be a useful - security precaution as it prevents malicious remote parties forcing a cipher - which they have found problems with. - --Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 -+By default, the system-wide crypto policy is used. See -+.BR update-crypto-policies(8) -+for further details. -+ -+Default: PROFILE=SYSTEM - .TP - .B user_config_dir - This powerful option allows the override of any config option specified in --- -2.14.4 - diff --git a/SOURCES/0043-Enable-only-TLSv1.2-by-default.patch b/SOURCES/0043-Enable-only-TLSv1.2-by-default.patch deleted file mode 100644 index eb157f8..0000000 --- a/SOURCES/0043-Enable-only-TLSv1.2-by-default.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Thu, 21 Dec 2017 16:38:40 +0100 -Subject: [PATCH 43/59] Enable only TLSv1.2 by default - -Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default. ---- - tunables.c | 6 +++--- - vsftpd.conf.5 | 4 ++-- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tunables.c b/tunables.c -index 354251c..9680528 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -211,9 +211,9 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -- /* TLSv1 up to TLSv1.2 is enabled by default */ -- tunable_tlsv1 = 1; -- tunable_tlsv1_1 = 1; -+ tunable_tlsv1 = 0; -+ tunable_tlsv1_1 = 0; -+ /* Only TLSv1.2 is enabled by default */ - tunable_tlsv1_2 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 2a7662e..df14027 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -539,7 +539,7 @@ Only applies if - is activated. If enabled, this option will permit TLS v1 protocol connections. - TLS v1.2 connections are preferred. - --Default: YES -+Default: NO - .TP - .B ssl_tlsv1_1 - Only applies if -@@ -547,7 +547,7 @@ Only applies if - is activated. If enabled, this option will permit TLS v1.1 protocol connections. - TLS v1.2 connections are preferred. - --Default: YES -+Default: NO - .TP - .B ssl_tlsv1_2 - Only applies if --- -2.14.4 - diff --git a/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch b/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch deleted file mode 100644 index 6bcef1b..0000000 --- a/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -diff -urN a/parseconf.c b/parseconf.c ---- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200 -+++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100 -@@ -185,6 +185,7 @@ - { "dsa_cert_file", &tunable_dsa_cert_file }, - { "dh_param_file", &tunable_dh_param_file }, - { "ecdh_param_file", &tunable_ecdh_param_file }, -+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff -urN a/ssl.c b/ssl.c ---- a/ssl.c 2021-08-02 08:24:35.000000000 +0200 -+++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100 -@@ -135,6 +135,11 @@ - { - die("SSL: could not set cipher list"); - } -+ if (tunable_ssl_ciphersuites && -+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1) -+ { -+ die("SSL: could not set ciphersuites list"); -+ } - if (RAND_status() != 1) - { - die("SSL: RNG is not seeded"); -diff -urN a/tunables.c b/tunables.c ---- a/tunables.c 2021-05-29 23:39:00.000000000 +0200 -+++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100 -@@ -154,6 +154,7 @@ - const char* tunable_dsa_cert_file; - const char* tunable_dh_param_file; - const char* tunable_ecdh_param_file; - const char* tunable_ssl_ciphers; -+const char* tunable_ssl_ciphersuites; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -293,6 +293,7 @@ - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); - install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); -+ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff -urN a/tunables.h b/tunables.h ---- a/tunables.h -+++ b/tunables.h -@@ -144,6 +144,7 @@ - extern const char* tunable_dsa_cert_file; - extern const char* 
tunable_dh_param_file; - extern const char* tunable_ecdh_param_file; - extern const char* tunable_ssl_ciphers; -+extern const char* tunable_ssl_ciphersuites; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1009,6 +1009,16 @@ - - Default: PROFILE=SYSTEM - .TP -+.B ssl_ciphersuites -+This option can be used to select which SSL cipher suites vsftpd will allow for -+encrypted SSL connections with TLSv1.3. See the -+.BR ciphers -+man page for further details. Note that restricting ciphers can be a useful -+security precaution as it prevents malicious remote parties forcing a cipher -+which they have found problems with. -+ -+Default: TLS_AES_256_GCM_SHA384 -+.TP - .B user_config_dir - This powerful option allows the override of any config option specified in - the manual page, on a per-user basis. Usage is simple, and is best illustrated diff --git a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch deleted file mode 100644 index 354cb83..0000000 --- a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -diff --git a/features.c b/features.c -index d024366..3a60b88 100644 ---- a/features.c -+++ b/features.c -@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) - { - vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); - } -- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) - { - vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); - } -diff --git a/parseconf.c b/parseconf.c -index 3729818..2c5ffe6 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -87,6 +87,7 @@ parseconf_bool_array[] = - { "ssl_tlsv1", &tunable_tlsv1 }, - { "ssl_tlsv1_1", &tunable_tlsv1_1 }, - { "ssl_tlsv1_2", &tunable_tlsv1_2 }, -+ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index 09ec96a..5d9c595 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1_2; - } -+ if (!tunable_tlsv1_3) -+ { -+ options |= SSL_OP_NO_TLSv1_3; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index c96c1ac..e6fbb9d 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -68,6 +68,7 @@ int tunable_sslv3; - int tunable_tlsv1; - int tunable_tlsv1_1; - int tunable_tlsv1_2; -+int tunable_tlsv1_3; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -217,8 +218,9 @@ tunables_load_defaults() - tunable_sslv3 = 0; - tunable_tlsv1 = 0; - tunable_tlsv1_1 = 0; -- /* Only TLSv1.2 is enabled by default */ -+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */ - tunable_tlsv1_2 = 1; -+ tunable_tlsv1_3 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -diff --git a/tunables.h b/tunables.h -index 
8d50150..6e1d301 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ - extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ - extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ -+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 815773f..c37a536 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -555,7 +555,7 @@ Default: YES - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v2 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: NO - .TP -@@ -563,7 +563,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v3 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: NO - .TP -@@ -571,7 +571,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: NO - .TP -@@ -579,7 +579,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1.1 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: NO - .TP -@@ -587,7 +587,15 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1.2 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. 
-+ -+Default: YES -+.TP -+.B ssl_tlsv1_3 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.3 protocol connections. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: YES - .TP diff --git a/fix-str_open.patch b/fix-str_open.patch new file mode 100644 index 0000000..e5d5bd9 --- /dev/null +++ b/fix-str_open.patch @@ -0,0 +1,27 @@ +--- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200 ++++ sysstr.c 2022-07-27 09:54:24.043081352 +0200 +@@ -74,19 +74,11 @@ + int + str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) + { +- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown; +- switch (mode) +- { +- case kVSFSysStrOpenReadOnly: +- open_mode = kVSFSysUtilOpenReadOnly; +- break; +- case kVSFSysStrOpenUnknown: +- /* Fall through */ +- default: +- bug("unknown mode value in str_open"); +- break; +- } +- return vsf_sysutil_open_file(str_getbuf(p_str), open_mode); ++ if (mode == kVSFSysStrOpenReadOnly) ++ return vsf_sysutil_open_file(str_getbuf(p_str), kVSFSysUtilOpenReadOnly); ++ ++ bug("unknown mode value in str_open"); ++ return -1; + } + + int diff --git a/sources b/sources new file mode 100644 index 0000000..e0f928f --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee diff --git a/SOURCES/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch b/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch similarity index 100% rename from SOURCES/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch rename to vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch diff --git a/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch b/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch new file mode 100644 index 0000000..c81d0e6 --- /dev/null +++ b/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch 
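Review bot: The new patch file carries no header at all (it starts directly at the `--- sysstr-orig.c` line), so a reader of the spec cannot tell whether collapsing the `switch` in `str_open` is a warning fix for the `-Wextra -Werror` build or an intended behavioural change; add a short description above the diff stating the motivation and the bug or warning it addresses. The added `return -1;` is only reached if `bug()` returns; if it does, callers now get -1 instead of an open attempt with `kVSFSysUtilOpenUnknown`, which is the safer outcome, but that is worth stating in the header rather than leaving implicit. The name `fix-str_open.patch` also departs from the `vsftpd-3.0.5-*.patch` convention used by the neighbouring new patches; renaming it would keep the patch list self-describing.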
@@ -0,0 +1,45 @@ +diff --git a/ssl.c b/ssl.c +--- ssl.c ++++ ssl.c +@@ -36,7 +36,7 @@ static SSL* get_ssl(struct vsf_session* p_sess, int fd); + static int ssl_session_init(struct vsf_session* p_sess); + static void setup_bio_callbacks(); + static long bio_callback( +- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); ++ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed); + static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); + static int ssl_alpn_callback(SSL* p_ssl, + const unsigned char** p_out, +@@ -88,7 +88,7 @@ + long options; + int verify_option = 0; + SSL_library_init(); +- p_ctx = SSL_CTX_new(SSLv23_server_method()); ++ p_ctx = SSL_CTX_new(TLS_server_method()); + if (p_ctx == NULL) + { + die("SSL: could not allocate SSL context"); +@@ -692,17 +689,19 @@ + static void setup_bio_callbacks(SSL* p_ssl) + { + BIO* p_bio = SSL_get_rbio(p_ssl); +- BIO_set_callback(p_bio, bio_callback); ++ BIO_set_callback_ex(p_bio, bio_callback); + p_bio = SSL_get_wbio(p_ssl); +- BIO_set_callback(p_bio, bio_callback); ++ BIO_set_callback_ex(p_bio, bio_callback); + } + + static long + bio_callback( +- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret) ++ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed) + { + int retval = 0; + int fd = 0; ++ (void) len; ++ (void) processed; + (void) p_arg; + (void) argi; + (void) argl; + diff --git a/vsftpd-3.0.5-replace-old-network-addr-functions.patch b/vsftpd-3.0.5-replace-old-network-addr-functions.patch new file mode 100644 index 0000000..89e6257 --- /dev/null +++ b/vsftpd-3.0.5-replace-old-network-addr-functions.patch 
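Review bot: `SSL_library_init();` survives as a context line in the `@@ -88,7 +88,7 @@` hunk even though the patch exists to retire deprecated OpenSSL entry points; since 1.1.0 it is a compatibility macro for `OPENSSL_init_ssl(0, NULL)`, so it compiles cleanly, but for consistency either call `OPENSSL_init_ssl(0, NULL)` explicitly or drop the line and rely on auto-initialisation. The switch to `BIO_set_callback_ex` changes the callback contract: for operations flagged `BIO_CB_RETURN` the new `int ret` parameter (and `size_t *processed` for read/write) is what the callback must hand back, whereas the old API carried it in the `long` return value. Only the prototype and the `(void)` casts are visible here; the body of `bio_callback` continues outside the hunk, so please confirm the remaining code returns `ret` (or its `processed`-adjusted value) on the return path and does not still report the stale `retval` for those operations.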
@@ -0,0 +1,139 @@ +diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c +--- vsftpd-3.0.5-orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200 ++++ vsftpd-3.0.5/postlogin.c 2023-02-13 16:34:05.244467476 +0100 +@@ -27,4 +27,6 @@ + #include "ssl.h" + #include "vsftpver.h" ++#include ++#include + #include "opts.h" + +@@ -628,9 +629,10 @@ + else + { + const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr); ++ static char result[INET_ADDRSTRLEN]; + if (p_v4addr) + { +- str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr)); ++ str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN)); + } + else + { +diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c +--- vsftpd-3.0.5-orig/sysutil.c 2012-09-16 09:07:38.000000000 +0200 ++++ vsftpd-3.0.5/sysutil.c 2023-02-13 16:08:58.557153109 +0100 +@@ -2205,20 +2205,13 @@ + const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr; + if (p_sockaddr->sa_family == AF_INET) + { +- return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr); ++ static char result[INET_ADDRSTRLEN]; ++ return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN); + } + else if (p_sockaddr->sa_family == AF_INET6) + { +- static char inaddr_buf[64]; +- const char* p_ret = inet_ntop(AF_INET6, +- &p_sockptr->u.u_sockaddr_in6.sin6_addr, +- inaddr_buf, sizeof(inaddr_buf)); +- inaddr_buf[sizeof(inaddr_buf) - 1] = '\0'; +- if (p_ret == NULL) +- { +- inaddr_buf[0] = '\0'; +- } +- return inaddr_buf; ++ static char result[INET6_ADDRSTRLEN]; ++ return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN); + } + else + { +@@ -2227,12 +2220,6 @@ + } + } + +-const char* +-vsf_sysutil_inet_ntoa(const void* p_raw_addr) +-{ +- return inet_ntoa(*((struct in_addr*)p_raw_addr)); +-} +- + int + vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr) + { +@@ -2241,7 +2228,7 @@ + { + bug("bad family"); + } +- if (inet_aton(p_text, 
&sin_addr)) ++ if (inet_pton(AF_INET, p_text, &sin_addr)) + { + vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr, + &sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr)); +@@ -2257,37 +2244,46 @@ + vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, + const char* p_name) + { +- struct hostent* hent = gethostbyname(p_name); +- if (hent == NULL) ++ struct addrinfo *result; ++ struct addrinfo hints; ++ int ret; ++ ++ memset(&hints, 0, sizeof(struct addrinfo)); ++ hints.ai_family = AF_UNSPEC; ++ ++ if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0) + { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret)); + die2("cannot resolve host:", p_name); + } + vsf_sysutil_sockaddr_clear(p_sockptr); +- if (hent->h_addrtype == AF_INET) ++ if (result->ai_family == AF_INET) + { +- unsigned int len = hent->h_length; ++ unsigned int len = result->ai_addrlen; + if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr)) + { + len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr); + } + vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr); + vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr, +- hent->h_addr_list[0], len); ++ &result->ai_addrlen, len); + } +- else if (hent->h_addrtype == AF_INET6) ++ else if (result->ai_family == AF_INET6) + { +- unsigned int len = hent->h_length; ++ unsigned int len = result->ai_addrlen; + if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr)) + { + len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr); + } + vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr); + vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr, +- hent->h_addr_list[0], len); ++ &result->ai_addrlen, len); + } + else + { +- die("gethostbyname(): neither IPv4 nor IPv6"); ++ freeaddrinfo(result); ++ die("getaddrinfo(): neither IPv4 nor IPv6"); + } ++ freeaddrinfo(result); + } + +diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h +--- vsftpd-3.0.5-orig/sysutil.h 2021-05-18 08:50:21.000000000 +0200 ++++ vsftpd-3.0.5/sysutil.h 2023-02-13 
15:59:22.088331075 +0100 +@@ -277,7 +277,6 @@ + + const char* vsf_sysutil_inet_ntop( + const struct vsf_sysutil_sockaddr* p_sockptr); +-const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr); + int vsf_sysutil_inet_aton( + const char* p_text, struct vsf_sysutil_sockaddr* p_addr); + diff --git a/vsftpd-3.0.5-use-old-tlsv-options.patch b/vsftpd-3.0.5-use-old-tlsv-options.patch new file mode 100644 index 0000000..7c37ce9 --- /dev/null +++ b/vsftpd-3.0.5-use-old-tlsv-options.patch @@ -0,0 +1,15 @@ +--- parseconf-orig.c 2022-10-25 15:17:18.990701984 +0200 ++++ parseconf.c 2022-10-25 15:12:44.213480000 +0200 +@@ -85,9 +85,9 @@ + { "ssl_sslv2", &tunable_sslv2 }, + { "ssl_sslv3", &tunable_sslv3 }, + { "ssl_tlsv1", &tunable_tlsv1 }, +- { "ssl_tlsv11", &tunable_tlsv1_1 }, +- { "ssl_tlsv12", &tunable_tlsv1_2 }, +- { "ssl_tlsv13", &tunable_tlsv1_3 }, ++ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, ++ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, ++ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, + { "tilde_user_enable", &tunable_tilde_user_enable }, + { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, + { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, diff --git a/SOURCES/vsftpd-generator b/vsftpd-generator old mode 100755 new mode 100644 similarity index 100% rename from SOURCES/vsftpd-generator rename to vsftpd-generator diff --git a/SOURCES/vsftpd.ftpusers b/vsftpd.ftpusers similarity index 100% rename from SOURCES/vsftpd.ftpusers rename to vsftpd.ftpusers diff --git a/SOURCES/vsftpd.pam b/vsftpd.pam similarity index 100% rename from SOURCES/vsftpd.pam rename to vsftpd.pam diff --git a/SOURCES/vsftpd.service b/vsftpd.service similarity index 100% rename from SOURCES/vsftpd.service rename to vsftpd.service diff --git a/SPECS/vsftpd.spec b/vsftpd.spec similarity index 85% rename from SPECS/vsftpd.spec rename to vsftpd.spec index 6ed880d..f8020e7 100644 --- a/SPECS/vsftpd.spec +++ b/vsftpd.spec 
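Review bot: In `vsf_sysutil_dns_resolve` both new `vsf_sysutil_memcpy` calls copy from `&result->ai_addrlen`, which is the length field of the `addrinfo`, not the resolved address; the address lives in `result->ai_addr` as a `struct sockaddr_in` / `struct sockaddr_in6`, so the IPv4 branch stores the bytes of a `socklen_t` and the IPv6 branch reads 16 bytes across `ai_addrlen` into the neighbouring struct fields. If this is the routine behind `pasv_address` resolution, clients will be handed a bogus PASV endpoint, so the source pointer should be `&((const struct sockaddr_in*)result->ai_addr)->sin_addr` (and the `sin6_addr` equivalent) with the copy length taken from the destination field rather than `ai_addrlen`; the rewritten branches are below. Two smaller points: the `fprintf(stderr, ...)` before `die2()` duplicates the die message and vsftpd appears to close its standard descriptors (cf. `0001-Move-closing-standard-FDs-after-listen.patch`), so it is probably best removed; and `vsf_sysutil_inet_ntop` dropped the old `p_ret == NULL` fallback, so a failing `inet_ntop` now returns NULL to callers where the previous code returned an empty string.
```c
  if (result->ai_family == AF_INET)
  {
    const struct sockaddr_in* p_in = (const struct sockaddr_in*) result->ai_addr;
    vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr);
    vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr,
                       &p_in->sin_addr,
                       sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr));
  }
  else if (result->ai_family == AF_INET6)
  {
    const struct sockaddr_in6* p_in6 = (const struct sockaddr_in6*) result->ai_addr;
    vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr);
    vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr,
                       &p_in6->sin6_addr,
                       sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr));
  }
  /* ... unchanged: else branch dies, then freeaddrinfo(result) ... */
```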
@@ -1,13 +1,12 @@ %global _generatorsdir %{_prefix}/lib/systemd/system-generators Name: vsftpd -Version: 3.0.3 -Release: 36%{?dist}.3 +Version: 3.0.5 +Release: 10%{?dist}.1 Summary: Very Secure Ftp Daemon -Group: System Environment/Daemons # OpenSSL link exception -License: GPLv2 with exceptions +License: GPL-2.0-only WITH vsftpd-openssl-exception URL: https://security.appspot.com/vsftpd.html Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz Source1: vsftpd.xinetd @@ -20,6 +19,7 @@ Source8: vsftpd@.service Source9: vsftpd.target Source10: vsftpd-generator +BuildRequires: make BuildRequires: pam-devel BuildRequires: libcap-devel BuildRequires: openssl-devel @@ -49,8 +49,8 @@ Patch17: 0017-Fix-an-issue-with-timestamps-during-DST.patch Patch18: 0018-Change-the-default-log-file-in-configuration.patch Patch19: 0019-Introduce-reverse_lookup_enable-option.patch Patch20: 0020-Use-unsigned-int-for-uid-and-gid-representation.patch -Patch21: 0021-Introduce-support-for-DHE-based-cipher-suites.patch -Patch22: 0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +Patch21: 0021-Follow-crypto-policies-for-ssl-ciphers.patch +Patch22: 0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch Patch23: 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch Patch24: 0024-Introduce-new-return-value-450.patch Patch25: 0025-Improve-local_max_rate-option.patch 
@@ -61,17 +61,12 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch -Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch -Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch -Patch40: 0040-Use-system-wide-crypto-policy.patch -Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch -Patch43: 0043-Enable-only-TLSv1.2-by-default.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch 
@@ -88,16 +83,20 @@ Patch56: 0056-Log-die-calls-to-syslog.patch Patch57: 0057-Improve-error-message-when-max-number-of-bind-attemp.patch Patch58: 0058-Make-the-max-number-of-bind-retries-tunable.patch Patch59: 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch -Patch60: 0001-Move-closing-standard-FDs-after-listen.patch -Patch61: 0002-Prevent-recursion-in-bug.patch -Patch62: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch -Patch63: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch -Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch -Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch -Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch -Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch -Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch -Patch69: vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch +Patch61: 0001-Move-closing-standard-FDs-after-listen.patch +Patch62: 0002-Prevent-recursion-in-bug.patch +Patch63: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch +Patch64: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch +Patch65: 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch +Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch +Patch68: 0002-Drop-an-unused-global-variable.patch +Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch +Patch70: fix-str_open.patch +Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch +Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch +Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch +Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch + %description vsftpd is a Very Secure FTP daemon. It was written completely from scratch. 
@@ -107,12 +106,13 @@ scratch.
 cp %{SOURCE1} .
 
 %build
+
 %ifarch s390x sparcv9 sparc64
-make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
+%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
 %else
-make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
+%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
 %endif
-	LINK="-pie -lssl" %{?_smp_mflags}
+	LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
 
 %install
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
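Review bot: `%make_build` already expands to `make` with `%{?_smp_mflags}` (plus output-sync and verbosity flags), so the trailing `%{?_smp_mflags}` kept on the `LINK=` continuation line is now redundant and should go: `LINK="-pie -lssl $RPM_LD_FLAGS"`. Appending `$RPM_LD_FLAGS` is the right move, since a bare `-pie -lssl` link bypasses the distribution's linker hardening flags (typically `-Wl,-z,relro -Wl,-z,now`) that `%{build_ldflags}` is meant to supply. `-Werror` in a distribution build remains brittle: any toolchain update that adds a warning under `-Wextra` becomes a build failure rather than a diagnostic, so consider dropping it or narrowing it to the warnings the project actually cares about.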
@@ -165,50 +165,127 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 %changelog
-* Wed Dec 17 2025 Tomas Korbar - 3.0.3-36.3
-- Rebuild to test with proper configuration
-- Related: RHEL-134160
-
-* Wed Dec 17 2025 Tomas Korbar - 3.0.3-36.2
-- Rebuild to test with proper configuration
-- Related: RHEL-134160
-
-* Wed Dec 17 2025 Tomas Korbar - 3.0.3-36.1
+* Tue Dec 16 2025 Tomas Korbar - 3.0.5-10.1
 - Fix CVE-2025-14242
-- Resolves: RHEL-134160
+- Resolves: RHEL-134158
-* Thu Apr 06 2023 Richard Lescak -3.0.3-36
-- add patch to provide option for TLSv1.3 ciphersuites
-- Resolves: rhbz#2069733
+* Thu Jul 10 2025 Pavol Žáčik - 3.0.5-10
+- Fix cryptographic agility issues
+ Resolves: RHEL-99533
-* Fri Dec 03 2021 Artem Egorenkov - 3.0.3-35
+* Tue Oct 29 2024 Troy Dawson - 3.0.5-9
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Tue Aug 20 2024 Tomas Korbar - 3.0.5-8
+- Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled
+- Resolves: RHEL-54726
+
+* Mon Jun 24 2024 Troy Dawson - 3.0.5-7
+- Bump release for June 2024 mass rebuild
+
+* Sat Jan 27 2024 Fedora Release Engineering - 3.0.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering - 3.0.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu May 04 2023 Richard Lescak - 3.0.5-4
+- add option for TLSv1.3 ciphersuites
+- SPDX migration
+
+* Fri Feb 17 2023 Richard Lescak - 3.0.5-3
+- make vsftpd compatible with Openssl 3.0+
+- replace old network functions
+
+* Sat Jan 21 2023 Fedora Release Engineering - 3.0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jul 28 2022 Richard Lescak 3.0.5-1
+- rebase to version 3.0.5
+
+* Sat Jul 23 2022 Fedora Release Engineering - 3.0.3-51
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering - 3.0.3-50
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Oct 27 2021 Artem Egorenkov - 3.0.3-49
 - add option to disable TLSv1.3
-- Resolves: rhbz#1638375
+- Resolves: rhbz#2017705
-* Mon Apr 12 2021 Artem Egorenkov - 3.0.3-34
+* Wed Oct 13 2021 Artem Egorenkov - 3.0.3-48
+- ALPACA fix backported from upstram 3.0.5 version
+- Resolves: rhbz#1975648
+
+* Wed Oct 13 2021 Artem Egorenkov - 3.0.3-47
+- Temporary pass -Wno-deprecated-declarations to gcc to ignore
+ deprecated warnings to be able to build against OpenSSL-3.0
+- Resolves: rhbz#1962603
+
+* Tue Sep 14 2021 Sahana Prasad - 3.0.3-46
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering - 3.0.3-45
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Apr 8 2021 Artem Egorenkov - 3.0.3-44
 - Enable support for wide-character strings in logs
 - Replace unprintables with HEX code, not question marks
-- Resolves: rhbz#1947900
-* Mon Nov 02 2020 Artem Egorenkov - 3.0.3-33
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3.0.3-43
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Wed Jan 27 2021 Fedora Release Engineering - 3.0.3-42
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Nov 27 2020 Timm Bäder - 3.0.3-41
+- Fix str_open() so it doesn't warn when compiled with clang
+- Pass $RPM_LD_FLAGS when linking
+
+* Mon Nov 02 2020 Artem Egorenkov - 3.0.3-40
 - Unit files fixed "After=network-online.target"
-- Resolves: rhbz#1893636
-* Tue Mar 17 2020 Ondřej Lysoněk - 3.0.3-32
+* Wed Jul 29 2020 Fedora Release Engineering - 3.0.3-39
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Mar 17 2020 Ondřej Lysoněk - 3.0.3-38
 - Removed a hint about the ftp_home_dir SELinux boolean from the config file
 - Resolves: rhbz#1623424
-* Thu Feb 13 2020 Ondřej Lysoněk - 3.0.3-31
+* Thu Feb 13 2020 Ondřej Lysoněk - 3.0.3-37
 - Fix timestamp handling in MDTM
 - Resolves: rhbz#1567855
-* Thu Nov 28 2019 Ondřej Lysoněk - 3.0.3-30
-- Fix a problem with bad utmp entries when pututxline() fails
-- Resolves: rhbz#1688852
+* Fri Feb 07 2020 Ondřej Lysoněk - 3.0.3-36
+- Fix build with gcc 10
+- Resolves: rhbz#1800239
-* Thu Nov 28 2019 Ondřej Lysoněk - 3.0.3-29
+* Fri Jan 31 2020 Fedora Release Engineering - 3.0.3-35
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Tom Stellard - 3.0.3-34
+- Use make_build macro
+
+* Thu Nov 28 2019 Ondřej Lysoněk - 3.0.3-33
+- Finish up the fix to the problem with bad utmp entries when pututxline() fails
+- Resolves: rhbz#1688852
+- Resolves: rhbz#1737433
+
+* Mon Aug 05 2019 Ondřej Lysoněk - 3.0.3-32
+- Partially fix problem with bad utmp entries when pututxline() fails
+- Resolves: rhbz#1688848
+
+* Sat Aug 03 2019 Ondřej Lysoněk - 3.0.3-31
 - Fix segfault when listen() returns an error
-- Resolves: rhbz#1734340
+- Resolves: rhbz#1666380
+
+* Sat Jul 27 2019 Fedora Release Engineering - 3.0.3-30
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering - 3.0.3-29
+- Rebuilt
for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Wed Jul 25 2018 Ondřej Lysoněk - 3.0.3-28
 - Rebuilt, switched to SHA512 source tarball hash
diff --git a/SOURCES/vsftpd.target b/vsftpd.target
similarity index 100%
rename from SOURCES/vsftpd.target
rename to vsftpd.target
diff --git a/SOURCES/vsftpd.user_list b/vsftpd.user_list
similarity index 100%
rename from SOURCES/vsftpd.user_list
rename to vsftpd.user_list
diff --git a/SOURCES/vsftpd.xinetd b/vsftpd.xinetd
similarity index 100%
rename from SOURCES/vsftpd.xinetd
rename to vsftpd.xinetd
diff --git a/SOURCES/vsftpd@.service b/vsftpd@.service
similarity index 100%
rename from SOURCES/vsftpd@.service
rename to vsftpd@.service
diff --git a/SOURCES/vsftpd_conf_migrate.sh b/vsftpd_conf_migrate.sh
old mode 100755
new mode 100644
similarity index 100%
rename from SOURCES/vsftpd_conf_migrate.sh
rename to vsftpd_conf_migrate.sh